Malware is making headlines regularly these days, and even though Macs are targeted far less than Windows PCs, Mac users must still be vigilant. A particularly serious type of malware is called ransomware because, once it infects your computer, it encrypts all your files and holds them for ransom.
Fortunately, despite the virulence of ransomware in the Windows world, where there have been major infections of CryptoWall and WannaCry, only a few pieces of ransomware have targeted Mac users:
- The first, called FileCoder, was discovered in 2014. When security researchers looked at the code, they discovered that it was incomplete and posed no threat at the time.
- The first fully functional ransomware for the Mac appeared in 2016, a bit of nastiness called KeRanger. It hid inside an infected version of the open source Transmission BitTorrent client and was properly signed so that it could bypass Apple's Gatekeeper protection. As many as 6500 people may have been infected by KeRanger before Apple revoked the relevant certificate and updated macOS's XProtect anti-malware technology to block it.
- In 2017, researchers discovered another piece of ransomware called Patcher, which claimed to help users download pirated copies of Adobe Premiere and Microsoft Office 2016. According to its Bitcoin wallet, no ransom had been paid, which is good, since there was no way to decrypt the files it had encrypted.
Realistically, you do not need to worry too much. However, malware writers are likely to release more Mac ransomware packages in the future, so I encourage you to be aware, informed and prepared.
First, let me explain some of the key terms and technologies. Apple's Gatekeeper technology protects your Mac from malicious software by allowing you to launch only applications downloaded from the Mac App Store or those signed by developers who have a Developer ID from Apple. Since malware does not come from legitimate developers (and Apple can revoke stolen signatures), Gatekeeper protects you from most malicious software. However, you can override Gatekeeper's protection to run an unsigned app. Do this only for apps from trusted developers.
Apple's XProtect technology takes a more focused approach: it checks each new app against a relatively short list of known malware and prevents apps on that list from launching. Make sure you leave the "Install system data files and security updates" checkbox selected in System Preferences > App Store. This ensures you get XProtect updates. Likewise, install macOS updates and security updates shortly after they are released to ensure you are protected against newly discovered vulnerabilities that malware can exploit.
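To confirm from Terminal that the protections described above are switched on, here is a small audit script. It is an added example, not part of the original article. It assumes that spctl --status reports Gatekeeper's state and that the "Install system data files and security updates" checkbox corresponds to the ConfigDataInstall and CriticalUpdateInstall keys in /Library/Preferences/com.apple.SoftwareUpdate; confirm that mapping on your macOS version.

```shell
#!/bin/sh
# Added example (not from the original article): audit the two settings the
# paragraphs above rely on. The preference key names are an assumption.

# Classify the text printed by `spctl --status`.
gatekeeper_state() {
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# Classify a boolean as printed by `defaults read` (empty = key not set).
pref_state() {
  case "$1" in
    1|true|YES) echo on ;;
    0|false|NO) echo off ;;
    *)          echo unset ;;
  esac
}

# $1 = `spctl --status` output, $2 = ConfigDataInstall, $3 = CriticalUpdateInstall
# Prints one line per finding, or "OK" when nothing needs attention.
audit() {
  out=""
  if [ "$(gatekeeper_state "$1")" != enabled ]; then
    out="${out}FINDING: Gatekeeper is $(gatekeeper_state "$1")
"
  fi
  for pair in "ConfigDataInstall=$2" "CriticalUpdateInstall=$3"; do
    state=$(pref_state "${pair#*=}")
    if [ "$state" != on ]; then
      out="${out}FINDING: ${pair%%=*} is ${state}
"
    fi
  done
  if [ -n "$out" ]; then printf '%s' "$out"; else echo OK; fi
}

# On a Mac, feed the live values in; elsewhere the functions are only defined.
if command -v spctl >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
  domain=/Library/Preferences/com.apple.SoftwareUpdate
  audit "$(spctl --status 2>&1)" \
        "$(defaults read "$domain" ConfigDataInstall 2>/dev/null)" \
        "$(defaults read "$domain" CriticalUpdateInstall 2>/dev/null)"
fi
```

A key reported as "unset" has never been written explicitly, so check the checkbox itself rather than assuming either state.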
Also consider running anti-malware software such as Malwarebytes or Mac Internet Security X9. It's not as absolutely necessary as anti-malware solutions are for Windows, but it can give you peace of mind, especially if you regularly visit sketchy parts of the Internet or download dodgy software.
Although regular backups with Time Machine are generally useful, KeRanger tried to encrypt Time Machine backup files to prevent users from recovering their data that way. Similarly, a bootable duplicate automatically updated by SuperDuper or Carbon Copy Cloner may end up replacing good files with encrypted ones from a ransomware-infected Mac, or a future piece of ransomware could try to encrypt other backup disks too.
The best protection against ransomware is a version-based backup made to a destination that can only be accessed through the backup application, such as an Internet backup service like Backblaze (home and business), CrashPlan (business) or my favorite, Carbonite (home and business). The beauty of such backups is that you can recover files from before the ransomware encrypted them. Of course, that assumes you have been backing up all along.
If you are ever infected with ransomware, do not panic, and do not pay the ransom right away. Contact me so I can help you work through your options, which may include restoring from a backup or recovering files from older versions. There are even decryptors for some Windows ransomware packages, and such tools may also appear for hypothetical Mac ransomware.
To repeat, there's no need to worry too much about ransomware on the Mac, but keeping Apple's XProtect up to date, staying current with macOS updates, and using an Internet backup service will probably protect you from whatever may come.